Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.2.
DescriptionCVE.org
OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.request runs by loading attacker-controlled pages from local-network or tailnet hosts, polluting session state and consuming budget.
AnalysisAI
OpenClaw before version 2026.4.2 improperly trusts local-network pages in its iOS A2UI bridge, allowing attackers to inject unauthorized agent.request commands by serving malicious content from local-network or tailnet hosts. This can pollute session state and consume user budget without authentication, though exploitation requires user interaction and proximity to the target network.
Technical ContextAI
The vulnerability stems from improper origin validation in OpenClaw's iOS A2UI (Apple-to-UI) bridge component, which implements communication between Apple-native interfaces and web-based UI elements. The bridge fails to distinguish between trusted and untrusted origins when handling requests from local-network pages, treating all local-network and tailnet-accessible hosts as trusted. This is a fundamental access control flaw (CWE-346: Origin Validation Error) where the trust boundary is incorrectly defined. Attackers exploiting this can craft pages served from 192.168.x.x, 10.x.x.x ranges, or Tailscale-accessible nodes that the bridge will execute agent.request commands from without proper authorization checks.
RemediationAI
Upgrade OpenClaw to version 2026.4.2 or later to receive the vendor-released patch (commit 49d08382a90f71dabe2877b3f6729ad85f808d57). Users unable to immediately patch should restrict local-network access to OpenClaw by disabling access from untrusted WiFi networks, disconnecting from shared Tailscale tailnets, or using network-level segmentation to isolate OpenClaw instances from potentially compromised peers. If OpenClaw is running on a personal device, ensure WiFi networks are set to private (not open hotspots) and audit active Tailscale connections for suspicious peers. These workarounds reduce attack surface but do not fully mitigate the vulnerability; patching is the primary remediation. The patch is available via the GitHub security advisory referenced above.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26106